[openwrt/openwrt] lua5.3: backport CVE fix

LEDE Commits lede-commits at lists.infradead.org
Fri Feb 16 16:55:53 PST 2024


ansuel pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/24d3eb7629d3e20a9c0d3dd47c84e75003df1199

commit 24d3eb7629d3e20a9c0d3dd47c84e75003df1199
Author: Rosen Penev <rosenp at gmail.com>
AuthorDate: Sat Feb 10 18:13:10 2024 -0800

    lua5.3: backport CVE fix
    
    Also refreshed some patches
    
    Signed-off-by: Rosen Penev <rosenp at gmail.com>
---
 package/utils/lua5.3/Makefile                      |  2 +-
 .../patches-host/001-include-version-number.patch  |  1 -
 .../lua5.3/patches-host/200-CVE-2019-6706.patch    | 51 ++++++++++++++++++
 .../patches/001-include-version-number.patch       |  1 -
 .../utils/lua5.3/patches/020-shared_liblua.patch   | 60 +++++++++++-----------
 .../utils/lua5.3/patches/200-CVE-2019-6706.patch   | 51 ++++++++++++++++++
 6 files changed, 133 insertions(+), 33 deletions(-)

diff --git a/package/utils/lua5.3/Makefile b/package/utils/lua5.3/Makefile
index 0a295040f2..405fa90145 100644
--- a/package/utils/lua5.3/Makefile
+++ b/package/utils/lua5.3/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=lua
 PKG_VERSION:=5.3.5
-PKG_RELEASE:=5
+PKG_RELEASE:=6
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.lua.org/ftp/ \
diff --git a/package/utils/lua5.3/patches-host/001-include-version-number.patch b/package/utils/lua5.3/patches-host/001-include-version-number.patch
index 78f0054960..1c9fdb250b 100644
--- a/package/utils/lua5.3/patches-host/001-include-version-number.patch
+++ b/package/utils/lua5.3/patches-host/001-include-version-number.patch
@@ -8,7 +8,6 @@ Including it allows multiple lua versions to coexist.
 Signed-off-by: Rafał Miłecki <rafal at milecki.pl>
 ---
 
-diff --git a/Makefile b/Makefile
 --- a/Makefile
 +++ b/Makefile
 @@ -12,7 +12,7 @@ PLAT= none
diff --git a/package/utils/lua5.3/patches-host/200-CVE-2019-6706.patch b/package/utils/lua5.3/patches-host/200-CVE-2019-6706.patch
new file mode 100644
index 0000000000..8024d414cc
--- /dev/null
+++ b/package/utils/lua5.3/patches-host/200-CVE-2019-6706.patch
@@ -0,0 +1,51 @@
+From 89aee84cbc9224f638f3b7951b306d2ee8ecb71e Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto at inf.puc-rio.br>
+Date: Wed, 27 Mar 2019 14:30:12 -0300
+Subject: [PATCH] Fixed bug in 'lua_upvaluejoin'
+
+Bug-fix: joining an upvalue with itself could cause a use-after-free
+crash.
+---
+ src/lapi.c   | 12 +++++------
+ 1 file changed, 41 insertions(+), 39 deletions(-)
+
+--- a/src/lapi.c
++++ b/src/lapi.c
+@@ -1254,13 +1254,12 @@ LUA_API const char *lua_setupvalue (lua_
+ }
+ 
+ 
+-static UpVal **getupvalref (lua_State *L, int fidx, int n, LClosure **pf) {
++static UpVal **getupvalref (lua_State *L, int fidx, int n) {
+   LClosure *f;
+   StkId fi = index2addr(L, fidx);
+   api_check(L, ttisLclosure(fi), "Lua function expected");
+   f = clLvalue(fi);
+   api_check(L, (1 <= n && n <= f->p->sizeupvalues), "invalid upvalue index");
+-  if (pf) *pf = f;
+   return &f->upvals[n - 1];  /* get its upvalue pointer */
+ }
+ 
+@@ -1269,7 +1268,7 @@ LUA_API void *lua_upvalueid (lua_State *
+   StkId fi = index2addr(L, fidx);
+   switch (ttype(fi)) {
+     case LUA_TLCL: {  /* lua closure */
+-      return *getupvalref(L, fidx, n, NULL);
++      return *getupvalref(L, fidx, n);
+     }
+     case LUA_TCCL: {  /* C closure */
+       CClosure *f = clCvalue(fi);
+@@ -1286,9 +1285,10 @@ LUA_API void *lua_upvalueid (lua_State *
+ 
+ LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
+                                             int fidx2, int n2) {
+-  LClosure *f1;
+-  UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
+-  UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
++  UpVal **up1 = getupvalref(L, fidx1, n1);
++  UpVal **up2 = getupvalref(L, fidx2, n2);
++  if (*up1 == *up2)
++    return;
+   luaC_upvdeccount(L, *up1);
+   *up1 = *up2;
+   (*up1)->refcount++;
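Review bot: The header of the added patch file never names CVE-2019-6706, and its diffstat contradicts itself (`src/lapi.c | 12` against `1 file changed, 41 insertions(+), 39 deletions(-)`), which suggests the original commit was cut down to `lapi.c` without a note; the identical copy added as `patches/200-CVE-2019-6706.patch` carries the same header. For a security backport I would add a description line such as `Backport of commit 89aee84cbc92 for CVE-2019-6706, reduced to src/lapi.c for Lua 5.3.5` and drop the stale totals, so a later audit can match the file to the advisory. The fix itself is the `if (*up1 == *up2) return;` guard placed before `luaC_upvdeccount(L, *up1)`: without it a self-join drops the reference and then runs `(*up1)->refcount++` on the same object, which per the patch description may already have been released. Because the guard compares the `UpVal` pointers, it also appears to cover two distinct closure slots that already share one upvalue. `lua_upvaluejoin` continues beyond the last context line of the embedded hunk, so its tail is not visible here.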
diff --git a/package/utils/lua5.3/patches/001-include-version-number.patch b/package/utils/lua5.3/patches/001-include-version-number.patch
index 78f0054960..1c9fdb250b 100644
--- a/package/utils/lua5.3/patches/001-include-version-number.patch
+++ b/package/utils/lua5.3/patches/001-include-version-number.patch
@@ -8,7 +8,6 @@ Including it allows multiple lua versions to coexist.
 Signed-off-by: Rafał Miłecki <rafal at milecki.pl>
 ---
 
-diff --git a/Makefile b/Makefile
 --- a/Makefile
 +++ b/Makefile
 @@ -12,7 +12,7 @@ PLAT= none
diff --git a/package/utils/lua5.3/patches/020-shared_liblua.patch b/package/utils/lua5.3/patches/020-shared_liblua.patch
index 7fa9652290..a462fa4f1e 100644
--- a/package/utils/lua5.3/patches/020-shared_liblua.patch
+++ b/package/utils/lua5.3/patches/020-shared_liblua.patch
@@ -1,5 +1,5 @@
---- a/Makefile	2019-07-02 09:24:57.554332875 -0600
-+++ b/Makefile	2019-07-02 09:25:42.626694604 -0600
+--- a/Makefile
++++ b/Makefile
 @@ -41,7 +41,7 @@ PLATS= aix bsd c89 freebsd generic linux
  # What to install.
  TO_BIN= lua$V luac$V
@@ -19,8 +19,8 @@
  	cd doc && $(INSTALL_DATA) $(TO_MAN) $(INSTALL_MAN)
  
  uninstall:
---- a/src/ldo.h	2017-04-19 11:20:42.000000000 -0600
-+++ b/src/ldo.h	2019-07-02 09:25:42.626694604 -0600
+--- a/src/ldo.h
++++ b/src/ldo.h
 @@ -47,8 +47,8 @@ LUAI_FUNC int luaD_pcall (lua_State *L,
  LUAI_FUNC int luaD_poscall (lua_State *L, CallInfo *ci, StkId firstResult,
                                            int nres);
@@ -32,8 +32,8 @@
  LUAI_FUNC void luaD_inctop (lua_State *L);
  
  LUAI_FUNC l_noret luaD_throw (lua_State *L, int errcode);
---- a/src/lfunc.h	2017-04-19 11:39:34.000000000 -0600
-+++ b/src/lfunc.h	2019-07-02 09:25:42.630694635 -0600
+--- a/src/lfunc.h
++++ b/src/lfunc.h
 @@ -47,14 +47,14 @@ struct UpVal {
  #define upisopen(up)	((up)->v != &(up)->u.value)
  
@@ -55,8 +55,8 @@
                                           int pc);
  
  
---- a/src/lgc.h	2017-04-19 11:39:34.000000000 -0600
-+++ b/src/lgc.h	2019-07-02 09:25:42.634694666 -0600
+--- a/src/lgc.h
++++ b/src/lgc.h
 @@ -133,11 +133,11 @@
  
  LUAI_FUNC void luaC_fix (lua_State *L, GCObject *o);
@@ -71,8 +71,8 @@
  LUAI_FUNC void luaC_barrierback_ (lua_State *L, Table *o);
  LUAI_FUNC void luaC_upvalbarrier_ (lua_State *L, UpVal *uv);
  LUAI_FUNC void luaC_checkfinalizer (lua_State *L, GCObject *o, Table *mt);
---- a/src/llex.h	2017-04-19 11:20:42.000000000 -0600
-+++ b/src/llex.h	2019-07-02 09:25:42.630694635 -0600
+--- a/src/llex.h
++++ b/src/llex.h
 @@ -73,13 +73,13 @@ typedef struct LexState {
  
  
@@ -92,8 +92,8 @@
  
  
  #endif
---- a/src/lmem.h	2017-04-19 11:20:42.000000000 -0600
-+++ b/src/lmem.h	2019-07-02 09:25:42.630694635 -0600
+--- a/src/lmem.h
++++ b/src/lmem.h
 @@ -56,12 +56,12 @@
  #define luaM_reallocvector(L, v,oldn,n,t) \
     ((v)=cast(t *, luaM_reallocv(L, v, oldn, n, sizeof(t))))
@@ -110,8 +110,8 @@
                                 size_t size_elem, int limit,
                                 const char *what);
  
---- a/src/lobject.h	2017-04-19 11:39:34.000000000 -0600
-+++ b/src/lobject.h	2019-07-02 09:25:42.630694635 -0600
+--- a/src/lobject.h
++++ b/src/lobject.h
 @@ -525,7 +525,7 @@ typedef struct Table {
  #define luaO_nilobject		(&luaO_nilobject_)
  
@@ -141,8 +141,8 @@
  
  
  #endif
---- a/src/lopcodes.h	2017-04-19 11:20:42.000000000 -0600
-+++ b/src/lopcodes.h	2019-07-02 09:25:42.630694635 -0600
+--- a/src/lopcodes.h
++++ b/src/lopcodes.h
 @@ -278,7 +278,7 @@ enum OpArgMask {
    OpArgK   /* argument is a constant or register/constant */
  };
@@ -161,8 +161,8 @@
  
  
  /* number of list items to accumulate before a SETLIST instruction */
---- a/src/lstate.h	2017-04-19 11:39:34.000000000 -0600
-+++ b/src/lstate.h	2019-07-02 09:25:42.630694635 -0600
+--- a/src/lstate.h
++++ b/src/lstate.h
 @@ -244,9 +244,9 @@ union GCUnion {
  
  LUAI_FUNC void luaE_setdebt (global_State *g, l_mem debt);
@@ -176,8 +176,8 @@
  
  
  #endif
---- a/src/lstring.h	2017-04-19 11:20:42.000000000 -0600
-+++ b/src/lstring.h	2019-07-02 09:25:42.630694635 -0600
+--- a/src/lstring.h
++++ b/src/lstring.h
 @@ -35,15 +35,15 @@
  
  LUAI_FUNC unsigned int luaS_hash (const char *str, size_t l, unsigned int seed);
@@ -198,8 +198,8 @@
  
  
  #endif
---- a/src/ltable.h	2018-05-24 13:39:05.000000000 -0600
-+++ b/src/ltable.h	2019-07-02 09:25:42.630694635 -0600
+--- a/src/ltable.h
++++ b/src/ltable.h
 @@ -41,14 +41,14 @@
  
  
@@ -218,8 +218,8 @@
  LUAI_FUNC void luaH_resize (lua_State *L, Table *t, unsigned int nasize,
                                                      unsigned int nhsize);
  LUAI_FUNC void luaH_resizearray (lua_State *L, Table *t, unsigned int nasize);
---- a/src/ltm.h	2017-04-19 11:20:42.000000000 -0600
-+++ b/src/ltm.h	2019-07-02 09:25:42.634694666 -0600
+--- a/src/ltm.h
++++ b/src/ltm.h
 @@ -55,10 +55,10 @@ typedef enum {
  LUAI_DDEC const char *const luaT_typenames_[LUA_TOTALTAGS];
  
@@ -245,8 +245,8 @@
                                  const TValue *p2, TMS event);
  
  
---- a/src/lundump.h	2017-04-19 11:20:42.000000000 -0600
-+++ b/src/lundump.h	2019-07-02 09:25:42.634694666 -0600
+--- a/src/lundump.h
++++ b/src/lundump.h
 @@ -23,10 +23,10 @@
  #define LUAC_FORMAT	0	/* this is the official format */
  
@@ -260,8 +260,8 @@
                           void* data, int strip);
  
  #endif
---- a/src/lzio.h	2017-04-19 11:20:42.000000000 -0600
-+++ b/src/lzio.h	2019-07-02 09:25:42.634694666 -0600
+--- a/src/lzio.h
++++ b/src/lzio.h
 @@ -61,6 +61,6 @@ struct Zio {
  };
  
@@ -270,8 +270,8 @@
 +LUA_API int luaZ_fill (ZIO *z);
  
  #endif
---- a/src/Makefile	2019-07-02 09:24:57.554332875 -0600
-+++ b/src/Makefile	2019-07-02 09:25:42.630694635 -0600
+--- a/src/Makefile
++++ b/src/Makefile
 @@ -29,6 +29,7 @@ MYOBJS=
  PLATS= aix bsd c89 freebsd generic linux macosx mingw posix solaris
  
diff --git a/package/utils/lua5.3/patches/200-CVE-2019-6706.patch b/package/utils/lua5.3/patches/200-CVE-2019-6706.patch
new file mode 100644
index 0000000000..8024d414cc
--- /dev/null
+++ b/package/utils/lua5.3/patches/200-CVE-2019-6706.patch
@@ -0,0 +1,51 @@
+From 89aee84cbc9224f638f3b7951b306d2ee8ecb71e Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto at inf.puc-rio.br>
+Date: Wed, 27 Mar 2019 14:30:12 -0300
+Subject: [PATCH] Fixed bug in 'lua_upvaluejoin'
+
+Bug-fix: joining an upvalue with itself could cause a use-after-free
+crash.
+---
+ src/lapi.c   | 12 +++++------
+ 1 file changed, 41 insertions(+), 39 deletions(-)
+
+--- a/src/lapi.c
++++ b/src/lapi.c
+@@ -1254,13 +1254,12 @@ LUA_API const char *lua_setupvalue (lua_
+ }
+ 
+ 
+-static UpVal **getupvalref (lua_State *L, int fidx, int n, LClosure **pf) {
++static UpVal **getupvalref (lua_State *L, int fidx, int n) {
+   LClosure *f;
+   StkId fi = index2addr(L, fidx);
+   api_check(L, ttisLclosure(fi), "Lua function expected");
+   f = clLvalue(fi);
+   api_check(L, (1 <= n && n <= f->p->sizeupvalues), "invalid upvalue index");
+-  if (pf) *pf = f;
+   return &f->upvals[n - 1];  /* get its upvalue pointer */
+ }
+ 
+@@ -1269,7 +1268,7 @@ LUA_API void *lua_upvalueid (lua_State *
+   StkId fi = index2addr(L, fidx);
+   switch (ttype(fi)) {
+     case LUA_TLCL: {  /* lua closure */
+-      return *getupvalref(L, fidx, n, NULL);
++      return *getupvalref(L, fidx, n);
+     }
+     case LUA_TCCL: {  /* C closure */
+       CClosure *f = clCvalue(fi);
+@@ -1286,9 +1285,10 @@ LUA_API void *lua_upvalueid (lua_State *
+ 
+ LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
+                                             int fidx2, int n2) {
+-  LClosure *f1;
+-  UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
+-  UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
++  UpVal **up1 = getupvalref(L, fidx1, n1);
++  UpVal **up2 = getupvalref(L, fidx2, n2);
++  if (*up1 == *up2)
++    return;
+   luaC_upvdeccount(L, *up1);
+   *up1 = *up2;
+   (*up1)->refcount++;



